I am facing an issue and need your expert advice. I get constant brute-force attack warnings in DirectAdmin from IPs in Russia, China, etc.
The messages are something like:
Feb 27 04:31:15 host1 dovecot[2387]: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<[email protected]>, method=PLAIN, rip=194.63.XXX.XXX, lip=XX.XX.99.210, session=<aC8bgAkQ2ADCP45l>
Feb 27 04:31:05 host1 exim[2385]: exim: Aborted login (auth failed, 10 attempts in 20 secs): user=<[email protected]>, method=PLAIN, rip=194.63.XXX.XXX, lip=XX.XX.99.210, session=<aC8bgAkQ2ADCP45l>
It is not commercial hosting, so only 4-5 different IP addresses actually log in through email clients to check email.
So I have decided to block all IP addresses accessing ports 25, 465 and 587 by putting this in /etc/csf/csf.deny:
tcp:in:d=25:s=0.0.0.0/0
tcp:in:d=465:s=0.0.0.0/0
tcp:in:d=587:s=0.0.0.0/0
And I allowed my IP addresses in /etc/csf/csf.allow:
tcp:in:d=25:s=124.12.0.0/20
tcp:in:d=465:s=124.12.0.0/20
tcp:in:d=587:s=124.12.0.0/20
Is this a good idea? Can the outside world still email me with port 25 blocked?
Please advise.
Thank you so much.
Server: Debian GNU/Linux 7.5 x86_64 / Direct Admin / CSF Firewall
A good solution would be to use Fail2ban.
Fail2ban is a daemon that bans hosts that cause multiple authentication errors, and it uses iptables to do the work.
By default it won't block SMTP attacks, but you can edit its config file /etc/fail2ban/jail.local like this:
[...]
[sendmail]
enabled = true
port = smtp,ssmtp
filter = sendmail
logpath = /var/log/mail.log
bantime = 28800
action = iptables-multiport[name=sendmail, port="pop3,imap,smtp,pop3s,imaps,smtps", protocol=tcp]
Just make sure paths and ports are correct with your config.
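To show what a fail2ban filter actually does with log lines like the ones in the question, here is an added example (not part of either post) that applies a fail2ban-style failregex with the <HOST> placeholder to constructed dovecot/exim lines and counts failures per remote IP. The regex, the sample lines (RFC 5737 documentation addresses) and the whitelist are assumptions for illustration, not a filter shipped with fail2ban.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the question's dovecot/exim
# entries; addresses come from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb 27 04:31:15 host1 dovecot[2387]: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<user@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.210, session=<aC8bgAkQ2ADCP45l>
Feb 27 04:31:05 host1 exim[2385]: exim: Aborted login (auth failed, 10 attempts in 20 secs): user=<user@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.210, session=<aC8bgAkQ2ADCP45l>
Feb 27 04:32:40 host1 dovecot[2387]: imap-login: Aborted login (auth failed, 3 attempts in 9 secs): user=<other@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.210, session=<bD9ChBlR3BEDQ56m>
Feb 27 04:33:01 host1 dovecot[2387]: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.210, mpid=2401, TLS
"""

# Hypothetical failregex in fail2ban's filter syntax: fail2ban replaces <HOST>
# with its own host pattern before matching; here an IPv4 capture stands in.
FAILREGEX = (r"(?:dovecot|exim)\[\d+\]: \S+: Aborted login \(auth failed, "
             r"\d+ attempts? in \d+ secs\): user=<[^>]*>, method=\S+, rip=<HOST>,")


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban-style failregex into a Python regex (IPv4-only <HOST>)."""
    host = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
    return re.compile(failregex.replace("<HOST>", host))


def count_failures(log_text: str, failregex: str = FAILREGEX) -> Counter:
    """Count matching lines per remote IP, one failure per line as fail2ban does
    (the 'N attempts' field in the message is deliberately not used as a weight)."""
    pattern = compile_failregex(failregex)
    failures = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            failures[m.group("host")] += 1
    return failures


def hosts_to_ban(log_text: str, maxretry: int = 5, ignoreip=()) -> list:
    """IPs whose failure count reaches maxretry, skipping the ignoreip whitelist
    (the equivalent of keeping your own addresses out of the jail)."""
    failures = count_failures(log_text)
    return sorted(ip for ip, n in failures.items()
                  if n >= maxretry and ip not in ignoreip)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG, maxretry=2, ignoreip=("192.0.2.50",)))
```

Running the script against a real /var/log/mail.log with your own filter regex is a quick way to check that a jail will match the lines you care about before enabling it.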